Scenario: Multiple users need to share one key while each user remains a distinct account. Every user needs access to the keypair, but the private key must be protected so that if it is ever exported and taken to another system it remains unusable.
This scenario is possible when using the PGP Encryption Server (Symantec Encryption Management Server) in Server Key Mode (SKM Mode). SKM Mode provides individual users with a keypair in which the end user never needs to enter a passphrase, and the key is protected while in the local keyring managed by Symantec Encryption Desktop.
Access to this SKM key is granted by uploading the keypair to the PGP Encryption Server after adding the additional User IDs to it and removing the User IDs that do not belong to that user. When each user enrolls, the SKM keypair is downloaded from the PGP Encryption Server. A random passphrase that is not known by any user is assigned to the key, and the key is unlocked when the user logs in to Windows.
Even if the keypair is exported from the local Encryption Desktop keyring, the random passphrase still protects it, and that passphrase is not stored anywhere a user can retrieve it.
This document covers the steps to configure this key and how to use Symantec Encryption Desktop to make the needed modifications to a keypair.
Considerations: Because this article deals with a keypair, it is advised that multiple administrators be present to ensure chain of custody of the keypair. Once a keypair has been exported to a desktop with a known passphrase, it is usable by anyone who has the file and that passphrase. Once the necessary modifications have been made to the keys, the exported keypair files with the known passphrase should be securely wiped.
Definitions: In this document, we’ll refer to the SED client that enrolled with the PGP Encryption Server as the “Managed” client. For the SED client that is not enrolled to the server, we’ll refer to this system as the “Standalone” client.
Prerequisites: Two to three machines that have Symantec Encryption Desktop. At least one machine will be a standalone client that will be used to make needed modifications to the key for final upload to the PGP Encryption Server to individual user accounts.
For Another Method using a "Shared Key" with Symantec File Share Encryption, see the following article:
225452 - Using File Share Encryption to send encrypted files to Group Keys (Shared Method)
Part 1 of 3: Creating, Modifying and Uploading a Shared Key
Step 1: Create a Consumer Policy on PGP Encryption Server and within the key settings, check only the SKM option:
Step 2: Create the keypair. The preferred method to create this key is to enroll the first user to the PGP Encryption Server using a managed client, which will create the SKM key.
Step 3: Once the first user is enrolled, log in to the PGP Encryption Server and download the keypair to the standalone machine. In this test, we have enrolled a user named “User1”:
Step 4: Once enrolled, notice the key and how it was generated. In this example, the managed domain is example.com, so the organization will be downloaded as well:
Step 5: Now double-click on User1’s key to display the key properties. Notice the Key ID is 0x88EE78AEE. This is important as we go through these steps. The Key ID is unique to each key and in this scenario, we will be using this same key for multiple users to create a “Shared” key situation:
Also notice that there is no “change passphrase” option in the Key Properties. Because this is an SKM key, it is protected with a random passphrase that nobody knows, so there is no passphrase to enter or change. Even if you export the keypair and import it on another SED client, the key will be unusable, because there is no known passphrase.
Step 6: Next we will add an additional User ID, “User2”, to the 0x key. These changes are made on the standalone client. Log in to the PGP Encryption Server and under Keys, Managed Keys, look for User1’s key with the associated Key ID:
Click the Key, and then click Export:
Select Keypair, enter a passphrase that only you and the other security team members will know, click Export, and save the file to the standalone machine where we will be making these changes. Give it the name “User1-SKM-Exported-Keypair.asc”:
Step 7: On the standalone machine, import the keypair you exported from the PGP Encryption Server. To do this, double-click the exported file (User1-SKM-Exported-Keypair.asc) and confirm the prompts to import.
Step 8: Now open the Key properties of User1’s key, similar to Step 5. Click on “Add Email Address”. In this example, we will add user “User2”, with the associated email address. Once you click “OK”, you will be prompted to enter the passphrase for User1’s key to add the additional User ID:
Step 9: Once User2’s user ID is added, we will set “User2” as the “Primary Name” for the key. To do this, right-click the envelope for User2, and select “Set as Primary Name”. Confirm User1’s passphrase again:
Step 10: Now User2’s User ID will appear as the primary ID. Delete User1’s User ID by right clicking the key and selecting “Delete”:
Step 11: Once you delete User1’s User ID, the key looks like User2’s key only, but the Key ID is still the same. Adding a User ID simply attaches another name to the key; the underlying key material, from which the Key ID is derived, does not change.
Notice the Key ID did not change:
Step 12: With User1’s User ID removed from the key, export the Keypair so that only User2’s User ID and associated email address appear on the key. To do this, right-click the key and choose Export, and then be sure to check the box “Include Private Key(s)”, and then give it a name. In this example, we’ll name it “User2-SKM-Exported-Keypair.asc”. Save this along with User1’s keypair from Step 6.
Step 13: Now we are going to add yet another User ID by following the same steps as before, but this time we’ll use the User ID “User3”. Be sure to delete the User2 User ID as we did before:
After following the steps as before, you’ll end up with key looking completely different, now named “User3”:
Notice the Key ID. It hasn’t changed. Now Export the keypair and this time, give it a name of “User3-SKM-Exported-Keypair.asc” and save to the same place. Now you’ll have three keys, one for User1, User2, and User3.
Step 14: We should already have a user on the PGP Encryption Server called “User1”, but now we want to upload the two exported keys for User3 and User2 to the PGP Encryption Server. This will create two new users by these names, and each of them will have the same key.
First, upload User2’s key under Consumers, Users, Internal Users. Select “Add Internal Users”:
Next, browse to User2’s key, and then enter the passphrase of the key (previously created when exporting User1’s key from the PGP Encryption Server):
By entering the passphrase, this sets the keymode as “SKM”, just like User1’s key. Do the same for User3’s key. You’ll now have three unique users using the same key (notice the Key ID is the same):
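The Key ID survives Steps 8 through 13 because it is derived from the key material, not from the names attached to it: for a v4 OpenPGP key the fingerprint is SHA-1 over the public part of the key packet, and the Key ID is its low-order bytes, so User ID packets play no part in it. The following Python script is added here as an illustration; it is not part of this article or of Symantec’s products. It parses exported .asc files with the standard library only (RFC 4880 packet framing) and reports the Key ID and User IDs of each, so the administrators holding the files can confirm before uploading (Step 14) that all three carry one key and that each carries only its own User ID. The three sample exports are constructed inside the script from seed-derived, unusable RSA numbers; the file names follow the article but the content is synthetic. Real exports also carry self-signatures and a passphrase-protected secret portion, which the inspector skips over without decrypting.

```python
import base64
import hashlib

def crc24(data: bytes) -> int:
    """Radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor; when a CRC line is present it must match the data."""
    lines = text.splitlines()
    begin = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")), None)
    end = next((i for i, l in enumerate(lines) if l.startswith("-----END PGP")), None)
    if begin is None or end is None:
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[begin + 1:end]
    body = body[next(i for i, l in enumerate(body) if not l.strip()) + 1:]  # drop armor headers
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_line = next((l for l in body if l.startswith("=")), None)
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC mismatch: the file was altered or truncated")
    return data

def packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                    # new-format header
            tag, o1, i = hdr & 0x3F, data[i + 1], i + 2
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                             # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 3]
            if n is None:
                raise ValueError("indeterminate packet length is not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def public_material(body: bytes) -> bytes:
    """Public part of a v4 key packet (the bytes the fingerprint covers); any S2K/secret part is ignored."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    algo, pos = body[5], 6
    count = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)    # RSA: n,e  Elgamal: p,g,y  DSA: p,q,g,y
    if count is None:
        raise ValueError("unsupported public-key algorithm %d" % algo)
    for _ in range(count):                                 # each MPI: 2-byte bit count + value bytes
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[:pos]

def fingerprint(body: bytes) -> str:
    pub = public_material(body)
    return hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).hexdigest().upper()

def inspect_key(armored: str) -> dict:
    """Long Key ID, the 8-digit short form Encryption Desktop displays, and the User IDs."""
    pk = list(packets(dearmor(armored)))
    primary = next((b for t, b in pk if t in (5, 6)), None)
    if primary is None:
        raise ValueError("no primary key packet found")
    fpr = fingerprint(primary)
    return {"fingerprint": fpr, "key_id": "0x" + fpr[-16:], "short_id": "0x" + fpr[-8:],
            "has_secret": any(t in (5, 7) for t, _ in pk),
            "uids": [b.decode("utf-8", "replace") for t, b in pk if t == 13]}

def same_key(exports: dict) -> bool:
    """True when every exported block in {name: armored_text} carries the same primary key."""
    return len({inspect_key(t)["key_id"] for t in exports.values()}) == 1

def build_export(uids, seed: bytes) -> str:
    """Constructed sample (hypothetical, not a real key): armored secret-key block with the given
    User IDs. The same seed yields the same unusable RSA numbers; the secret half is opaque filler
    shaped like S2K-protected material; binding self-signatures are omitted."""
    def mpi(x):
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

    def packet(tag, body):                                 # new-format header, 1- or 2-octet length
        n = len(body)
        return bytes([0xC0 | tag]) + (bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])) + body

    n = int.from_bytes(hashlib.sha512(seed).digest() * 4, "big") | (1 << 2047) | 1
    pub = b"\x04" + (1600000000).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)
    secret = b"\xfe\x09\x03\x08" + hashlib.sha256(seed).digest()[:8] + b"\x60" + hashlib.sha512(seed + b"enc").digest()[:80]
    data = packet(5, pub + secret) + b"".join(packet(13, u.encode()) for u in uids)
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PRIVATE KEY BLOCK-----\n")
```

To use it on the real files, call inspect_key(open(path).read()) for User1-SKM-Exported-Keypair.asc, User2-SKM-Exported-Keypair.asc and User3-SKM-Exported-Keypair.asc, then same_key() over the three; the short_id field is the 8-digit form shown in Key Properties. The armor CRC is checked first, so a truncated or hand-edited file raises before any packet is parsed. The script does not verify signatures, so it reports which User IDs are present, not that they are validly bound; the server does that on upload.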
Part 2 of 3: Encrypting to the Shared Key, and decrypting as each individual user.
Now that we have three unique users with the same key, enroll the other two users. This can be done by logging out of User1’s Windows profile and logging in as User2, then as User3. The enrollment prompt appears for each user. Enroll as you did for User1; as you do, you’ll notice the same SKM keypair is downloaded to each user’s local keyring.
Because it’s SKM, the keypair is downloaded in a protected mode with the random passphrase. This gives each of these users access to the keypair, but they will not be able to modify the key, and although they can export the keypair file, it cannot be imported and used on another client because the passphrase is unknown. The only way this key can be used is if the users enroll to the PGP Encryption Server as these accounts.
For this next part, we will encrypt a file to the shared key, and demonstrate that each of the other users can decrypt, all without needing to enter a passphrase.
Reminder: The passphrase does not need to be entered because the key is unlocked as the user logs in to Windows; a cryptographic operation at logon securely unlocks the random passphrase.
Step 1: Login as User3 and encrypt a file to User3’s key first. In this test, we’ll encrypt the file “Step12-User3.png”. Right click the file, choose Encrypt from the Symantec Encryption Desktop context menu, and in the Key Selection Dialogue, choose User3’s key:
Note: Although this is “User3’s” key, the Key ID is the same as User1’s and User2’s key. The resulting file will be “Step12-User3.png.pgp”. The .pgp extension indicates it was encrypted:
Step 2: As User3, delete the unencrypted file and then right-click on the encrypted file and choose Decrypt. This will decrypt and output with the original filename.
Step 3: Next, login as User2 and User1 and go through the same steps to decrypt the encrypted file. Because the file was encrypted to the same Key ID, these users will have access to decrypt.
Note: Instead of right-clicking to decrypt, a faster way to decrypt is to simply double-click the file.
Part 3 of 3: Removing Access to the Shared Key
Because each of these users has the shared key, we assume it is shared to perform a duty for a specific group. If a user should no longer have access to the shared key, the keys must be cleaned up for that user so they can no longer use it. This section goes over how to remove the keys from both the client and the server.
Step 1: In this example, User2 no longer needs access to this shared key, so we will login as User2 and open the Encryption Desktop client. Click on User2’s key, and select “Delete”.
You’ll get a prompt that you are deleting User3’s key. Click OK to confirm:
You will be prompted again to double confirm you want to delete the keypair. User2’s keypair will now be removed from the local keyring in Symantec Encryption Desktop and only the Organization Key will remain:
Step 2: Exit Symantec Encryption Desktop from the taskbar menu. Next, go to %appdata%\PGP Corporation\PGP and delete the PGPprefs.xml and PGPpolicy.xml files. This essentially “unenrolls” the client from the PGP Encryption Server.
Step 3: Log in to the PGP Encryption Server, go to Consumers, Users, Internal Users, and click on User2. Next, click on “Managed Keys”, and you’ll see User2’s key listed. Click the “Delete” icon on the right and click OK to confirm.
User2’s key should now be removed from the PGP Encryption Server and User2 will no longer have access to this Shared key:
Step 4: Now with User2’s key removed, you can re-enroll User2, and a new key will get created. This time the Key ID will be different than the Shared key.
Step 5: To validate User2 no longer has access, attempt to decrypt the file from the previous decryption test. Upon attempting to decrypt, the following error will appear, indicating the proper keypair is no longer available in the keyring for User2:
Step 6: If the shared keypair was exported while the user was enrolled with the managed client and then imported into an unmanaged client that is not properly enrolled to the PGP Encryption Server, the key still carries the random passphrase. Because that passphrase is random and unknown, the key can no longer be used to decrypt or sign:
Because the random passphrase is protecting the key, there is no way to use the key, even if the keypair is available.